From 50b323aa797536cfaef94a89f79c3f64371bea4f Mon Sep 17 00:00:00 2001
From: lzhgus
Date: Sat, 11 Apr 2026 08:48:27 -0700
Subject: [PATCH] fix: add explicit permissions to CI workflow

Restrict GITHUB_TOKEN to contents:read in ci.yml to follow the principle of least privilege. Resolves CodeQL code-scanning alert.
---
 .github/workflows/ci.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e088fd9..6013b5c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     runs-on: macos-15
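Review bot: The new workflow-level `permissions:` block carries no comment saying it is the token scope for every job, so a future job that needs e.g. `pull-requests: write` will fail only at runtime and the tempting fix is to widen the top-level grant instead of adding a per-job block. Add `# GITHUB_TOKEN is read-only for all jobs; a job that needs more must declare its own permissions block.` above `permissions:`. This setting scopes only the automatic GITHUB_TOKEN; a step that authenticates with a stored secret or PAT is not restricted by it, which is worth stating in the same comment. The steps of build-and-test lie outside the hunk, so whether any of them requires write access cannot be confirmed from this patch.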